Hackthebox - Investigation


Initial Enumeration

nmap scan

# Nmap 7.92 scan initiated Sun Jan 22 10:28:30 2023 as: nmap -vvv -sC -sV -oN nmap/investigation 10.129.139.67
Nmap scan report for 10.129.139.67
Host is up, received echo-reply ttl 63 (0.19s latency).
Scanned at 2023-01-22 10:28:31 IST for 14s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2f:1e:63:06:aa:6e:bb:cc:0d:19:d4:15:26:74:c6:d9 (RSA)
| 256 27:45:20:ad:d2:fa:a7:3a:83:73:d9:7c:79:ab:f3:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG5ZpYGYsM/eNsAOYy3iQ9O7/OdK6q63GKK1bd2ZA5qhePdO+KJOOvgwxKxBXoJApVfBKV0oVn3ztPubO2mdp5g=
| 256 42:45:eb:91:6e:21:02:06:17:b2:74:8b:c5:83:4f:e0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ4m4ta/VBtbCv+5FEPfydbXySZHyzU7ELt9lBsbjl5S
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://eforenzics.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: eforenzics.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 22 10:28:45 2023 -- 1 IP address (1 host up) scanned in 15.03 seconds

We see two services open, 22 and 80, and on 80 we are redirected to eforenzics.htb. Let's add that to our hosts file and try to open it.

Web

Opening the page we see

On the Services tab we see we can upload a JPG file for forensic analysis.

Uploading an image, we get a report

and the report looks like exiftool output.

Maybe we can do some command injection. Looking for an exploit, we see that exiftool can be made to execute a command when the uploaded filename has the form <command> |

https://gist.github.com/ert-plus/1414276e4cb5d56dd431c2f0429e4429

And we get command execution using the payload

There are a lot of bad characters, so we place our payload in index.html, use curl to fetch it and execute it, and we get a shell.

www-data -> smorton

Looking for anything owned by smorton we see

Let's download it and see what it is.

Running the file command we see it is

We can open .msg file on https://www.encryptomatic.com/viewer/

This gives us EVTX logs; we can use https://github.com/omerbenamram/evtx/releases to dump them as XML or JSON.

In the dump we see that Def@ultf0r3nz!csPa$$ was entered in place of TargetUsername, i.e. a password was typed into the username field of a logon attempt.
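The triage step above (spotting a credential typed into the username field of a Windows logon event) as an added example, not code from the original writeup. It assumes the line-delimited JSON output of evtx_dump (the omerbenamram/evtx tool); the records and the known-account list below are constructed for illustration.

```python
"""Scan an evtx_dump jsonl file for logon events whose TargetUserName looks
like a password rather than an account name (the mistake that exposed the
smorton password above). Added example; the records below are constructed."""
import json
import string

# Constructed sample in the evtx_dump JSON layout: Event -> System / EventData.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Event": {"System": {"EventID": 4625, "Computer": "WKS01"},
               "EventData": {"TargetUserName": "smorton", "IpAddress": "10.0.0.5"}}},
    {"Event": {"System": {"EventID": 4625, "Computer": "WKS01"},
               "EventData": {"TargetUserName": "Def@ultf0r3nz!csPa$$", "IpAddress": "10.0.0.5"}}},
    {"Event": {"System": {"EventID": 4624, "Computer": "WKS01"},
               "EventData": {"TargetUserName": "smorton", "IpAddress": "10.0.0.5"}}},
])
KNOWN_ACCOUNTS = {"smorton", "administrator"}   # hypothetical account inventory
LOGON_EVENT_IDS = {4624, 4625}                    # successful / failed logon

def event_id(system):
    """EventID is a plain int, or {"#text": n, "#attributes": ...} when qualified."""
    eid = system.get("EventID")
    return int(eid["#text"]) if isinstance(eid, dict) else int(eid)

def looks_like_password(name):
    """Three or more character classes in a 'username' is a strong hint that
    a credential was typed into the wrong field."""
    classes = (any(c.islower() for c in name), any(c.isupper() for c in name),
               any(c.isdigit() for c in name), any(c in string.punctuation for c in name))
    return len(name) >= 8 and sum(classes) >= 3

def find_leaked_credentials(jsonl_text, known_accounts=KNOWN_ACCOUNTS):
    """Return (event_id, computer, value) for logon events whose TargetUserName
    is not a known account and looks like a password."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)["Event"]
        eid = event_id(ev["System"])
        if eid not in LOGON_EVENT_IDS:
            continue
        name = ev.get("EventData", {}).get("TargetUserName", "")
        if name.lower() in known_accounts or not looks_like_password(name):
            continue
        hits.append((eid, ev["System"].get("Computer"), name))
    return hits

if __name__ == "__main__":
    for eid, host, value in find_leaked_credentials(SAMPLE_JSONL):
        # Mask the value so the secret itself is not copied into tickets or chat.
        print(f"event {eid} on {host}: username field holds a credential-like value ({value[:3]}...)")
```

Any hit should be treated as a leaked credential: rotate it and check the same event source for the real account the user was trying to log in to.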

smorton -> root

Running sudo -l we see we can run a binary

It looks like an ELF file

Investigating we see

int main(int argc,char **argv)

{
  __uid_t uid;
  int password;
  FILE *fd;
  undefined8 curlObject;
  char *__s;
  char *cmd;

  /* Usage: <binary> <url> <password> */
  if (argc != 3) {
    puts("Exiting... ");
    /* WARNING: Subroutine does not return */
    exit(0);
  }
  /* Must already run as root, which the sudo rule provides */
  uid = getuid();
  if (uid != 0) {
    puts("Exiting... ");
    /* WARNING: Subroutine does not return */
    exit(0);
  }
  /* argv[2] must equal the hard-coded password; it is reused below as the output filename */
  password = strcmp(argv[2],"lDnxUysaQn");
  if (password != 0) {
    puts("Exiting... ");
    /* WARNING: Subroutine does not return */
    exit(0);
  }
  puts("Running... ");
  fd = fopen(argv[2],"wb");
  curlObject = curl_easy_init();
  /* CURLOPT_URL (0x2712 = 10002): fetch the URL given in argv[1] */
  curl_easy_setopt(curlObject,0x2712,argv[1]);
  /* CURLOPT_WRITEDATA (0x2711 = 10001): write the response body into fd */
  curl_easy_setopt(curlObject,0x2711,fd);
  /* CURLOPT_FAILONERROR (0x2d = 45) */
  curl_easy_setopt(curlObject,0x2d,1);
  /* Get the Data from CURL */
  password = curl_easy_perform(curlObject);
  if (password == 0) {
    /* Build the command string "perl ./lDnxUysaQn" */
    password = snprintf((char *)0x0,0,"%s",argv[2]);
    __s = (char *)malloc((long)password + 1);
    snprintf(__s,(long)password + 1,"%s",argv[2]);
    password = snprintf((char *)0x0,0,"perl ./%s",__s);
    cmd = (char *)malloc((long)password + 1);
    snprintf(cmd,(long)password + 1,"perl ./%s",__s);
    fclose(fd);
    curl_easy_cleanup(curlObject);
    setuid(0);
    /* Run perl <.pl file from CURL>: whatever the URL served is executed as root */
    system(cmd);
    system("rm -f ./lDnxUysaQn");
    return 0;
  }
  puts("Exiting... ");
  /* WARNING: Subroutine does not return */
  exit(0);
}

Creating a simple payload, exec "/bin/sh";, and serving it

Extra

Passing the code to ChatGPT, the explanation it gives seems correct.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/investigation/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.